CERT VU:970472
History: Apr 05, 2001 - 12:00 a.m.

Network Time Protocol ([x]ntpd) daemon contains buffer overflow in ntp_control:ctl_getitem() function

2001-04-05 00:00:00
www.kb.cert.org

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.968 High
Percentile: 99.7%

Overview

There is a buffer overflow defect in the ctl_getitem() function of the Network Time Protocol (NTP) daemon responsible for providing accurate time reports used for synchronizing the clocks on installed systems. All NTP daemons based on code maintained at the University of Delaware since NTPv2 are assumed at risk.

Description

The buffer overflow condition appears in the ctl_getitem() function in ntp_control.c, the NTP control code. Because NTP uses UDP, attacks attempting to exploit this vulnerability will likely be spoofed.


Impact

It has been reported that a remote intruder can execute arbitrary code with the default privileges of the running daemon, typically root. While this report is still being evaluated, crashing of the NTP daemon has been confirmed.


Solution

Apply patches supplied by your vendor


Until patches can be applied, the CERT/CC strongly urges affected sites to block ntp requests (123/{tcp,udp}) at their network perimeter or disable ntpd altogether. It is unclear at this time if using secured NTP services provides a full defense against all attacks attempting to exploit this vulnerability.


Vendor Information

Berkeley Software Design, Inc. - Affected

Updated: April 10, 2001

Status

Affected

Vendor Statement

The version of ntp shipped with BSD/OS is vulnerable to this problem
so sites which have configured ntpd should update to the patched version
available from BSDI's web, ftp or patches servers.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23970472 Feedback>).

Compaq Computer Corporation - Affected

Notified: April 05, 2001 Updated: May 03, 2001

Status

Affected

Vendor Statement

====================================================

TITLE: SSRT1-85U - xntpd potential buffer overflow
SOURCE: Compaq Computer Corporation,
Software Security Response Team

Date: 02-MAY-2001

SEVERITY: HIGH

PROBLEM STATEMENT SUMMARY:

Compaq continues to take a serious approach to the quality
and security of all its software products and makes every
effort to address issues and provide solutions in a timely
manner. In line with this commitment, Compaq is responding
to recent concerns of a potential buffer overflow with xntpd.

The Network Time Protocol daemon for Compaq Tru64 UNIX
contains a potential buffer overflow (even though it would be
difficult to exploit) that may allow unauthorized access to bin
privileges.

IMPACT:

Compaq’s Tru64 UNIX V4.0d, V4.0f, V4.0g, V5.0, V5.0a, V5.1

SOLUTION:

Compaq Tru64 UNIX engineering has provided a fix for this
potential problem.

NOTE: The solutions will be included in future releases of
Tru64 UNIX aggregate patch kits. Until that has happened
the kits identified should be reinstalled accordingly after an
upgrade to any affected version listed.

The patches identified are available from the Compaq FTP site
<http://ftp1.support.compaq.com/public/dunix/> then choose the
version directory needed and search for the patch by name.
Please review the applicable readme and install files prior
to installation.

Patches:
V4.0D: DUV40D16-C0058302-10580-20010430.tar
V4.0F: DUV40F16-C0042002-10579-20010430.tar
V4.0G: T64V40G16-C0003502-10577-20010430.tar
V5.0: T64V5016-C0006102-10575-20010430.tar
V5.0A: T64V50A16-C0010402-10574-20010430.tar
V5.1: T64V513-C0027202-10573-20010430.tar

NOTE: A patch for Compaq Tru64 UNIX V4.0e is not available
as it is no longer supported by Compaq. If you require a patch
for V4.0e please contact your normal Compaq Services channel.

Compaq appreciates your cooperation and patience. We regret any
inconvenience applying this information may cause.

As always, Compaq urges you to periodically review your system
management and security procedures. Compaq will continue to
review and enhance the security features of its products and work
with customers to maintain and improve the security and integrity
of their systems.

© Copyright 2001 Compaq Computer Corporation. All rights reserved

To subscribe to automatically receive future NEW Security
Advisories from the Compaq’s Software Security Response Team
via electronic mail,

Use your browser select the URL
<http://www.support.compaq.com/patches/mailing-list.shtml>
Select “Security and Individual Notices” for immediate dispatch
notifications directly to your mailbox.

To report new Security Vulnerabilities, send mail to:

[email protected]

COMPAQ AND/OR ITS RESPECTIVE SUPPLIERS MAKE
NO REPRESENTATIONS ABOUT THE SUITABILITY OF
THE INFORMATION CONTAINED IN THE DOCUMENTS
AND RELATED GRAPHICS AND/OR SOFTWARE PUBLISHED
ON THIS SERVER FOR ANY PURPOSE. ALL SUCH
DOCUMENTS AND RELATED GRAPHICS ARE PROVIDED
“AS IS” WITHOUT WARRANTY OF ANY KIND AND ARE
SUBJECT TO CHANGE WITHOUT NOTICE. THE ENTIRE RISK
ARISING OUT OF THEIR USE REMAINS WITH THE RECIPIENT.
IN NO EVENT SHALL COMPAQ AND/OR ITS RESPECTIVE
SUPPLIERS BE LIABLE FOR ANY DIRECT, CONSEQUENTIAL,
INCIDENTAL, SPECIAL, PUNITIVE OR OTHER DAMAGES
WHATSOEVER (INCLUDING WITHOUT LIMITATION,
DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS
INTERRUPTION, OR LOSS OF BUSINESS INFORMATION),
EVEN IF COMPAQ HAS BEEN ADVISED OF THE POSSIBILITY
OF SUCH DAMAGES.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Previously it was reported that Tru64 and OpenVMS were not vulnerable to this problem.

Debian Linux - Affected

Updated: April 10, 2001

Status

Affected

Vendor Statement

Debian has released an advisory on this issue: Debian Security Advisory 045-2:

Przemyslaw Frasunek <[email protected]> reported that ntp
daemons such as that released with Debian GNU/Linux are vulnerable to a
buffer overflow that can lead to a remote root exploit. A previous
advisory (DSA-045-1) partially addressed this issue, but introduced a
potential denial of service attack. This has been corrected for Debian
2.2 (potato) in ntp version 4.0.99g-2potato2.

We recommend you upgrade your ntp package immediately.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Debian Security Advisory 045-2 is available at:

<http://www.debian.org/security/2001/dsa-045>

FreeBSD, Inc. - Affected

Notified: April 05, 2001 Updated: April 13, 2001

Status

Affected

Vendor Statement

FreeBSD has released FreeBSD-SA-01:31 at:

<ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01%3A31.ntpd.asc>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The FreeBSD ports collection does contain a vulnerable version of ntpd.

A patch has been made available at:

http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/ntp/ntpd/ntp_control.c?r1+=1.1&r2=1.2

This was in response to Problem Report 26358:

<http://www.FreeBSD.org/cgi/query-pr.cgi?pr=26358>

Hewlett-Packard Company - Affected

Updated: April 09, 2001

Status

Affected

Vendor Statement

HP is vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

HP has published _HPSBUX0104-148 Sec. Vulnerability in xntpd(1M)_ which includes workarounds to protect users of HP systems running xntpd.

An excerpt from HPSBUX0104-148 is included here:

A. Background

A buffer overflow has been discovered on various Unix-derived operating systems in its NTP daemon. Hewlett-Packard Company ships xntpd on HP-UX releases and has determined that it too, is vulnerable.

B. Recommended solution

Hewlett-Packard Company recommends that xntpd be shut down on all systems not absolutely needing time-of-day synchronization with Internet standard time servers.
On those remaining time-sensitive systems modify the default configuration file (/etc/ntp.conf) to use the "restrict" clause, to restrict all but allow some.
We provide an example of a simple configuration. Please refer to the man (1M) xntpd for further configuration details.

```
# This server syncs from server 192.255.2.3 and provides
# time services to client 192.27.16.30, yet
# blocks all others.

server 192.255.2.3 prefer
server 127.127.1.1
# allow this client full access
restrict 192.27.16.30
# allow this server full access
restrict 192.255.2.3
# you need both of the following for the localhost
restrict 127.0.0.1
restrict 127.127.1.1
# block everything else
restrict default ignore
```

NOTE: Patches are currently in development.
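An added example, not part of the HP bulletin or the CERT note: a small Python audit that checks an ntp.conf against the "restrict all but allow some" pattern in the excerpt above. The function names, the `min_prefix` threshold and the second sample configuration are assumptions constructed for illustration.

```python
import ipaddress

# Configuration taken from the HP bulletin excerpt above.
HP_EXAMPLE = """\
# This server syncs from server 192.255.2.3 and provides
# time services to client 192.27.16.30, yet
# blocks all others.
server 192.255.2.3 prefer
server 127.127.1.1
# allow this client full access
restrict 192.27.16.30
# allow this server full access
restrict 192.255.2.3
# you need both of the following for the localhost
restrict 127.0.0.1
restrict 127.127.1.1
# block everything else
restrict default ignore
"""

# Constructed sample (not from the page): one allowed network, no default-deny.
WEAK_EXAMPLE = """\
server 192.255.2.3 prefer
restrict 192.27.0.0 mask 255.255.0.0
"""


def parse_restrict_lines(conf_text):
    """Yield (address, mask, flags) for every 'restrict' line in ntp.conf text."""
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        address, rest, mask = tokens[1], tokens[2:], None
        if len(rest) >= 2 and rest[0] == "mask":
            mask, rest = rest[1], rest[2:]
        yield address, mask, set(rest)


def is_default(address, mask):
    """'default' and '0.0.0.0 mask 0.0.0.0' both name the catch-all entry."""
    return address == "default" or (address == "0.0.0.0" and mask == "0.0.0.0")


def as_network(address, mask):
    """Return an ip_network for address/mask, or the raw text for a hostname."""
    try:
        spec = f"{address}/{mask}" if mask else address
        return ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return address


def audit(conf_text, min_prefix=24):
    """Report whether everything is ignored by default and who is still allowed.

    min_prefix is an assumed policy threshold: allowed IPv4 networks wider
    than this prefix length are reported as findings.
    """
    default_flags, saw_default = set(), False
    allowed, findings = [], []
    for address, mask, flags in parse_restrict_lines(conf_text):
        if is_default(address, mask):
            saw_default = True
            default_flags |= flags          # collect flags from every default line
            continue
        if "ignore" in flags:
            continue                        # explicitly blocked source
        net = as_network(address, mask)
        allowed.append(str(net))
        if not isinstance(net, str) and net.prefixlen < min_prefix:
            findings.append(f"{net} is allowed and wider than /{min_prefix}")
    default_ignore = saw_default and "ignore" in default_flags
    if not default_ignore:
        findings.insert(0, "no 'restrict default ignore': unlisted hosts reach the daemon")
    return {"default_ignore": default_ignore, "allowed": allowed, "findings": findings}


if __name__ == "__main__":
    for name, text in (("HP example", HP_EXAMPLE), ("weak example", WEAK_EXAMPLE)):
        result = audit(text)
        print(name, result["default_ignore"], result["allowed"])
        for finding in result["findings"]:
            print("  finding:", finding)
```

Run it against a copy of /etc/ntp.conf by passing the file's text to `audit()`; an empty `findings` list means the file follows the default-deny layout of the HP workaround.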

IBM Corporation - Affected

Notified: April 05, 2001 Updated: May 21, 2008

Status

Affected

Vendor Statement

IBM AIX APAR #IY18265 is the fix for this vulnerability for AIX 4.3

IBM AIX APAR #IY19744 is the fix for this vulnerability for AIX 5.1
Future releases of AIX such as 5.2 and 5.3 are not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Mandriva, Inc. - Affected

Updated: April 06, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see MDKSA-2001:036: ntp/xntp3 at:

<http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-036.php3>

NetBSD - Affected

Notified: April 05, 2001 Updated: April 05, 2001

Status

Affected

Vendor Statement

Please see NetBSD Security Advisory 2001-004 at:

ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA2001-004.txt.asc

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

OpenBSD - Affected

Notified: April 05, 2001 Updated: April 06, 2001

Status

Affected

Vendor Statement

No statement from the vendor is available at this time.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The OpenBSD ports collection does contain a vulnerable version of xntp.

The following extract was taken from the GNATs bug report about this issue:

<http://cvs.openbsd.org/cgi-bin/wwwgnats.pl/full?pr=1758>

Here is an addition to the OpenBSD xntpd port that applies
NAKAMURA Kazushi's patch.

How to apply:

# Add the new file: /usr/ports/sysutils/xntpd/patches/patch-ntp_control.c
cd /usr/ports/sysutils/xntpd
make uninstall && make clean && make && make install
reboot # necessary because tickadj is run before system securelevel is changed

Caveats:

The new file /usr/ports/sysutils/xntpd/patches/patch-ntp_control.c is
NAKAMURA Kazushi's patch -- nothing more. It comes directly from the
FreeBSD tree. It may not be OpenBSD's preferred way of doing things,
but it will close the hole until OpenBSD has it fixed.

Red Hat, Inc. - Affected

Notified: April 05, 2001 Updated: April 09, 2001

Status

Affected

Vendor Statement

No direct statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

RedHat has issued an advisory regarding this issue at:

<http://www.redhat.com/support/errata/RHSA-2001-045.html>

An excerpt:

The Network Time Daemon (xntpd on Red Hat Linux 6.2 and earlier, ntpd on
Red Hat Linux 7.0) does not properly check the size of a buffer used to
hold incoming data from the network. Potentially, an attacker could gain
root access by exploiting this weakness.

Potential damage is mitigated by the fact that the Network Time Daemon is
not enabled by default. If you are not using network time services, it
may not even be installed. As a general rule, Red Hat encourages users to
enable only those network services they actually need.

SUSE Linux - Affected

Updated: April 16, 2001

Status

Affected

Vendor Statement

No statement has been directly received from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SuSE has released a Security Announcement on this issue: SuSE-SA:2001:10 at

<http://lists.suse.com/archives/suse-security-announce/2001-Apr/0000.html>

-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SuSE Security Announcement
Package: xntp
Announcement-ID: SuSE-SA:2001:10
Date: Monday, April 9th 22:30 MEST
Affected SuSE versions: (6.0, 6.1, 6.2), 6.3, 6.4, 7.0, 7.1
Vulnerability Type: remote root compromise
Severity (1-10): 8
SuSE default package: no
Other affected systems: systems using xntp in newer versions

Content of this advisory:

1) security vulnerability resolved: xntp
   problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information

xntp is the network time protocol package widely used with many unix
and linux systems for system time synchronization over a network.

An exploit published by Przemyslaw Frasunek demonstrates a buffer
overflow in the control request parsing code. The exploit allows a
remote attacker to execute arbitrary commands as root. All versions as
shipped with SuSE Linux are affected by the buffer overflow problem.

A temporary workaround is to kill the daemon and to set the variable
START_XNTPD in the file /etc/rc.config to “no” so that the daemon
will not be started again upon reboot of the system. Correct the system
time manually if necessary or adjust the time by running ntpdate from
a cron job on a regular basis.

We believe that this problem is generally underestimated since the
xntpd daemon tends to get forgotten over the years of a system’s
lifetime once installed and configured. The xntpd daemon is not started by
default in SuSE Linux distributions. We strongly recommend to immediately
update the xntp package on each system where the daemon is installed,
configured and running.

Note:
The xntp update packages for most distributions have been available
for download since Friday last week. The packages for all 6.4 and 7.0
version distributions had to be rebuilt due to a specfile bug that
did not show up earlier and that caused a delay in building packages.
This bug causes the rpm subsystem to complain about the release number
of the package. Now that this bug is corrected, you might find yourself
having installed a package where there is a newer version of the package
on the ftp server. However, regardless of the package release number,
all published packages fix the currently known security problems in the
xntpd network time daemon.

Note:
The source rpm of xntp in newer distributions generates two packages:
xntp.rpm and xntpdoc.rpm. It is not necessary to update the xntpdoc
package which is why we do not provide the update packages on our ftp
server. The xntpdoc package only contains the documentation for the
xntp package and did not change in this updated package.

Download the update package from locations described below and install the package with the command `rpm -Uhv file.rpm`. The md5sum for each
file is in the line below. You can verify the integrity of the rpm
files using the command
`rpm --checksig --nogpg file.rpm`, independently from the md5 signatures below.
SPECIAL INSTALL INSTRUCTIONS:

The xntpd daemon must be restarted for the new package to become
active after the installation of the update rpm. You can do this
by running the command

    kill -15 `pidof xntpd`

as root. After performing the upgrade using the rpm command above,
you can restart the xntpd:

    rcxntpd start

You should now see the new daemon synchronizing in your syslogs,
depending on where you configured the daemon to write its logs to.

Sparc Platform:
SuSE-7.1: The xntp packages for the SuSE-7.1 sparc distribution are currently pending for being built. They will be available on the ftp server as soon as they are built. The packages are gpg-signed using the key <[email protected]> that should have been installed on your system upon system installation/upgrade. Use the command `rpm --checksig xntp.rpm`
to verify this signature once the packages are available for download.
In the meanwhile, please use the temporary workaround as described above.
PPC Power PC Platform:
SuSE-7.1: The xntp packages for the SuSE-7.1 ppc distribution are currently pending for being built. They will be available on the ftp server as soon as they are built. The packages are gpg-signed using the key <[email protected]> that should have been installed on your system upon system installation/upgrade. Use the command `rpm --checksig xntp.rpm`
to verify this signature once the packages are available for download.
In the meanwhile, please use the temporary workaround as described above.
______________________________________________________________________________
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
- kernel Please expect security updates of the Linux kernel soon. To resolve all currently known security problems in the Linux kernel, update the kernel manually to version 2.2.19 or wait until the SuSE update rpm packages for the supported distributions 6.3, 6.4, 7.0 and 7.1 are ready to be used and available for download.
- more updates In addition to the kernel update, please expect more packages to see security updates. Currently, this involves vim, mc and sudo.

- bind8
The update packages for the 7.0 sparc distribution are available.
The SuSE-7.1 sparc distribution was published after the bugs in bind8
were corrected.


3) standard appendix:

SuSE runs two security mailing lists to which any interested party may
subscribe:

[email protected]
  - general/linux/SuSE security discussion.
    All SuSE security announcements are sent to this list.
    To subscribe, send an email to
    <[email protected]>.

[email protected]
  - SuSE’s announce-only mailing list.
    Only SuSE’s security announcements are sent to this list.
    To subscribe, send an email to
    <[email protected]>.

For general information or the frequently asked questions (faq)
send mail to:
<[email protected]> or
<[email protected]> respectively.

===============================================
SuSE’s security contact is <[email protected]>.
===============================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way.
SuSE GmbH makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.

Type Bits/KeyID Date User ID
pub 2048/3D25D3D9 1999/03/06 SuSE Security Team <[email protected]>
Slackware - Affected

Updated: April 09, 2001

Status

Affected

Vendor Statement

No direct statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Slackware has issued the following advisory regarding this problem:

http://www.slackware.com/lists/archive/viewer.php?l=slackware-security&y=2001&m=slackware-security.384116

An excerpt:

The version of xntp3 that shipped with Slackware 7.1 as well as the version that was in Slackware -current contains a buffer overflow bug that could lead to a root compromise. Slackware 7.1 and Slackware -current users are urged to upgrade to the new packages available for their release.
The updated package available for Slackware 7.1 is a patched version of xntp3. The -current tree has been upgraded to ntp4, which also fixes the problem. If you want to continue using xntp3 on -current, you can use the updated package from the Slackware 7.1 tree and it will work.

Sun Microsystems, Inc. - Affected

Notified: April 05, 2001 Updated: October 31, 2001

Status

Affected

Vendor Statement

Please see Sun Security Bulletin #00211, also available for download at:

http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?type=0&doc=secbull%2F211&display=plain

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Download: sun-bulletin-00211.asc

-----BEGIN PGP SIGNED MESSAGE-----

________________________________________________________________________________
Sun Microsystems, Inc. Security Bulletin

Bulletin Number: #00211
Date: October 23, 2001
Cross-Ref: CERT Vulnerability Note VU#970472
Title: xntpd
________________________________________________________________________________

The information contained in this Security Bulletin is provided "AS IS."
Sun makes no warranties of any kind whatsoever with respect to the information
contained in this Security Bulletin. ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY WARRANTY OF NON-INFRINGEMENT OR
IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE
HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.

IN NO EVENT WILL SUN MICROSYSTEMS, INC. BE LIABLE FOR ANY LOST REVENUE,
PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL
OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF ANY THEORY OF LIABILITY
ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN
THIS SECURITY BULLETIN, EVEN IF SUN MICROSYSTEMS, INC. HAS BEEN ADVISED OF
THE POSSIBILITY OF SUCH DAMAGES.

If any of the above provisions are held to be in violation of applicable law,
void, or unenforceable in any jurisdiction, then such provisions are waived
to the extent necessary for this disclaimer to be otherwise enforceable in
such jurisdiction.
________________________________________________________________________________

1. Bulletins Topics

Sun announces the release of patches for Solaris(tm) 8, 7, and
2.6 (SunOS(tm) 5.8, 5.7, and 5.6) which relate to a vulnerability
in xntpd(1M), the Network Time Protocol daemon.

Sun recommends that you install the patches listed in section 4
on systems running SunOS 5.8, 5.7, and 5.6 which use xntpd.

2. Who is Affected

Vulnerable: SunOS 5.8, 5.8_x86, 5.7, 5.7_x86, 5.6,
5.6_x86

The xntpd(1M) daemon was not shipped by Sun for earlier releases
than Solaris 2.6.

3. Understanding the Vulnerability

The xntpd is a daemon which sets and maintains a UNIX system
time-of-day in agreement with Internet standard time servers.
xntpd is a complete implementation of the Network Time Protocol
(NTP) version 3 standard, as defined by RFC 1305.

CERT Vulnerability Note VU#970472 is available from:

<http://www.kb.cert.org/vuls/id/970472>

4. List of Patches

The following patches are available in relation to the above issue.

OS Version Patch ID
__________ _________
SunOS 5.8 109667-04
SunOS 5.8_x86 109668-04
SunOS 5.7 109409-04
SunOS 5.7_x86 109410-03
SunOS 5.6 107298-03
SunOS 5.6_x86 107299-03
_______________________________________________________________________________

APPENDICES

A. Patches listed in this bulletin are available to all Sun customers at:

<http://sunsolve.sun.com/securitypatch>

B. Checksums for the patches listed in this bulletin are available at:

<ftp://sunsolve.sun.com/pub/patches/CHECKSUMS>

C. Sun security bulletins are available at:

<http://sunsolve.sun.com/security>

D. Sun Security Coordination Team's PGP key is available at:

<http://sunsolve.sun.com/pgpkey.txt>

E. To report or inquire about a security problem with Sun software, contact
one or more of the following:

- Your local Sun answer centers
- Your representative computer security response team, such as CERT
- Sun Security Coordination Team. Send email to:

[email protected]

F. To receive information or subscribe to our CWS (Customer Warning System)
mailing list, send email to:

[email protected]

with a subject line (not body) containing one of the following commands:

Command         Information Returned/Action Taken
_______         _________________________________

help            An explanation of how to get information

key             Sun Security Coordination Team's PGP key

list            A list of current security topics

query [topic]   The email is treated as an inquiry and is forwarded to
                the Security Coordination Team

report [topic]  The email is treated as a security report and is
                forwarded to the Security Coordination Team. Please
                encrypt sensitive mail using Sun Security Coordination
                Team's PGP key

send topic      A short status summary or bulletin. For example, to
                retrieve a Security Bulletin #00138, supply the
                following in the subject line (not body):

                        send #138

subscribe       Sender is added to our mailing list. To subscribe,
                supply the following in the subject line (not body):

                        subscribe cws your-email-address

                Note that your-email-address should be substituted
                by your email address.

unsubscribe     Sender is removed from the CWS mailing list.
________________________________________________________________________________

Copyright 2001 Sun Microsystems, Inc. All rights reserved. Sun,
Sun Microsystems, Solaris and SunOS are trademarks or registered trademarks
of Sun Microsystems, Inc. in the United States and other countries. This
Security Bulletin may be reproduced and distributed, provided that this
Security Bulletin is not modified in any way and is attributed to
Sun Microsystems, Inc. and provided that such reproduction and distribution
is performed for non-commercial purposes.


If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23970472 Feedback>).

The SCO Group (SCO Linux) __ Affected

Notified: April 05, 2001 Updated: April 09, 2001

Status

Affected

Vendor Statement

We have now released updated packages:

Caldera OpenLinux 2.3
<ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/>
19e51b89951b435061450398e764b753 RPMS/xntp-3.5.93e-5.i386.rpm
08a990b5034679c0a37ebbe20e162d05 SRPMS/xntp-3.5.93e-5.src.rpm

Caldera OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0
<ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/>
df892fae73626a11107552d7d1a68e6e RPMS/xntp-3.5.93e-5.i386.rpm
663eb55d629cdcc0212583e92be15d11 SRPMS/xntp-3.5.93e-5.src.rpm

Caldera OpenLinux eDesktop 2.4
<ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/>
fe7cffdf379ee9b69890f9fa9ff0f320 RPMS/xntp-4.0.97-2.i386.rpm
ff34841b2f01a252e6e31cb91ffcada5 SRPMS/xntp-4.0.97-2.src.rpm

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Further details can be found in _CSSA-2001-013 remote root exploit in ntpd_, available at:

<http://www.caldera.com/support/security/advisories/CSSA-2001-013.0.txt>


The SCO Group (SCO Unix) __ Affected

Updated: April 16, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has read but not verified the following statement from SCO posted on BUGTRAQ:

Message-Id: <[email protected]>
Date: Wed, 11 Apr 2001 12:55:08 -0700
From: Albert Fu <[email protected]>
Organization: SCO
X-Mailer: Mozilla 4.7 [en] (X11; I; SCO_SV 3.2 i386)
X-Accept-Language: en
To: [email protected]
Sender: [email protected]
Subject: SSE073: SCO OpenServer NTP buffer overflow fix

---------------------------------------------------
TOPIC: NTP remote buffer overflow
PRODUCTS AFFECTED: SCO OpenServer 5.0.0->5.0.6
PATCH: System Security Supplement (SSE) SSE073
PATCH LOCATION: <ftp://ftp.sco.com/SSE/sse073.tar.Z>
<ftp://ftp.sco.com/SSE/sse073.ltr>
SUMMARY: potentially exploitable buffer overflow fixed by SSE073
DATE: April 11, 2001

System Security Enhancement (SSE) SSE073 - 11-Apr-2001
Problem:
A buffer overflow was found by Przemyslaw Frasunek <[email protected]> in the NTP daemon. Full exploit details can be found in the BUGTRAQ archive
<http://www.securityfocus.com/archive/1/174011>
On SCO OpenServer 5 Release 5.0.6 systems, the NTP daemon is /etc/ntpd.
This exploit doesn't actually "work" on OpenServer. However, a small effect can be observed.
To observe the effect, run ntpdc and give it the "ctlstats" command. An exploit attempt registers as an increment of 2 to the "requests received" and "responses sent" counters.
Running the fixed version of ntpd, an exploit attempt registers as +2 "requests received", +2 "responses sent", +1 "total bad pkts" and +1 "error msgs sent".
We find this difference sufficient to feel confident that the _specific_ problem has been corrected.
Patch:
The patch is located at: <ftp://ftp.sco.com/SSE/sse073.tar.Z> <ftp://ftp.sco.com/SSE/sse073.ltr>
This patch is applicable to all releases of OpenServer 5. However, the "install-sse073.sh" program to install the binary can be used on Release 5.0.6 ONLY.
This patch contains a replacement for the /etc/ntpd binary in Release 5.0.6. If you wish to use this binary on Releases 5.0.0 up to 5.0.5, you can install the binary manually. Note that on these older releases, /etc/xntpd (based on NTPv3) was shipped by default; hence, configuration files based on xntpd may have to be modified.

Installation:
1. We recommend you drop into single user mode to install this SSE (though this is not enforced).
2. Uncompress and extract the SSE into a temporary directory of the server (eg. /tmp/sse073).
# uncompress sse073.tar.Z
# tar xvf sse073.tar
3. Execute the install script. Follow the instructions at the prompt.
# ./install-sse073.sh
Note: "Warning" messages simply explain that because a specific file was not found on the current server, it was not replaced. If a system has custom binaries or paths, this patch may not succeed.
4. Clean up.
A backup of the original binaries will be saved in: /opt/K/SCO/sse/sse073
The following files will be left over after patch installation and can be removed:
./install-sse073.sh ./sse073.files.tar
The following files will be left over after patch installation and can be moved to an archival directory in case the patches are needed again:
./sse073.tar ./sse073.doc
Checksums of the packages:
`sum -r ./sse073.tar`: 53459
`sum -r ./sse073.files.tar`: 61075

References:
The vulnerability addressed in this patch was found by:
Przemyslaw Frasunek <[email protected]>
For more details, see the following BUGTRAQ archive:
<http://www.securityfocus.com/archive/1/174011>
Disclaimer:
SCO believes that this patch addresses the reported vulnerabilities.
However, in order that it be released as soon as possible, this patch
has not been fully tested or packaged to SCO’s normal exacting
standards. For that reason, this patch is not officially supported.
Official supported and packaged fixes for current SCO products will
be available in due course.
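
The counter comparison SCO describes above for telling the old and the fixed ntpd apart, as an added example that is not SCO's or CERT's code: it diffs two saved `ctlstats` snapshots and matches the change against the two signatures in the statement. The four counter labels are taken from the statement; the `label: value` line layout, the function names and the sample snapshots are assumptions constructed for this example.

```python
import re

# The four counter labels come from the SCO statement. The "label: value"
# line layout and every function name here are assumptions of this example.
WATCHED = ("requests received", "responses sent",
           "total bad pkts", "error msgs sent")
SIGNATURES = {
    (2, 2, 0, 0): "old ntpd: attempt answered, nothing rejected",
    (2, 2, 1, 1): "fixed ntpd: attempt counted as a bad packet",
}

def parse_ctlstats(text):
    """Parse 'label: value' lines into {label: int}; skip anything else."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(\d+)\s*$", line)
        if m:
            stats[m.group(1).lower()] = int(m.group(2))
    return stats

def classify(before_text, after_text):
    """Compare two snapshots taken around one attempt in a quiet window."""
    before, after = parse_ctlstats(before_text), parse_ctlstats(after_text)
    missing = [k for k in WATCHED if k not in before or k not in after]
    if missing:
        raise ValueError("counters missing: " + ", ".join(missing))
    delta = tuple(after[k] - before[k] for k in WATCHED)
    if any(d < 0 for d in delta):
        # Counters only grow while the daemon runs, so a drop means it was
        # restarted (or its statistics were reset) between the snapshots.
        return "reset: counters went backwards between snapshots"
    if delta == (0, 0, 0, 0):
        return "quiet: no control traffic between snapshots"
    return SIGNATURES.get(delta, "inconclusive: delta %r" % (delta,))

# Constructed snapshots, not captured from a real daemon.
BEFORE = ("requests received: 14\nresponses sent: 14\n"
          "total bad pkts: 0\nerror msgs sent: 0\n")
AFTER_OLD = BEFORE.replace("14", "16")
AFTER_FIXED = ("requests received: 16\nresponses sent: 16\n"
               "total bad pkts: 1\nerror msgs sent: 1\n")
AFTER_RESTART = BEFORE.replace("14", "3")

if __name__ == "__main__":
    for name, snap in (("old", AFTER_OLD), ("fixed", AFTER_FIXED),
                       ("restart", AFTER_RESTART), ("quiet", BEFORE)):
        print(name, "->", classify(BEFORE, snap))
```

Any delta other than the two listed signatures is reported as inconclusive, because unrelated control traffic in the same window moves the same counters.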


University of Delaware __ Affected

Updated: April 09, 2001

Status

Affected

Vendor Statement

The patch I sent out applies to the NTPv4 99k distribution which for safety I fetched directly from its public place. For record:

--- ntp_control.c.1Thu Apr 5 21:41:56 2001 +++ ntp_control.cThu Apr 5 21:43:02 2001 @@ -1824,6 +1824,8 @@ while (cp &lt; reqend && *cp != ',') *tp++ = *cp++; +if (tp &gt;= buf + sizeof(buf)) +return (0); if (cp &lt; reqend) cp++; *tp = '\0';
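
Review bot: The new bounds check is added after `*tp++ = *cp++;` with no braces placed around the `while` body (the hunk grows by exactly the two `+` lines), so as written it is evaluated once, after the copy loop has finished, rather than on every iteration; by that point `tp` may already have been advanced past the end of `buf` and the bytes written. Suggest enclosing the copy and the check in braces so the test runs per byte, or folding the bound into the loop condition, for example `while (cp < reqend && *cp != ',' && tp < buf + sizeof(buf) - 1)`, which also leaves room for the terminating `*tp = '\0';`. A short comment on what returning 0 means to the caller would help, since the hunk does not show it.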
Not fancy; it's been a long day.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Target CVS repository:

http://maccarony.ntp.org/cgi-bin/cvsweb.cgi/ntp/ntpd/ntp_control.c?rev=1.33&content-type=text/x-cvsweb-markup

Target patched version:

<ftp://ftp.udel.edu/pub/ntp/ntp4/ntp-4.0.99k23.tar.gz>


Fujitsu __ Not Affected

Updated: April 06, 2001

Status

Not Affected

Vendor Statement

Regarding the ntpd buffer overflow vulnerability, Fujitsu's UXP/V operating system is not vulnerable because it doesn't support ntpd.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Cisco Systems, Inc. __ Unknown

Updated: April 13, 2001

Status

Unknown

Vendor Statement

IOS is not vulnerable to the ntpdx exploit as it is posted to the Bugtraq. However, to be on the safe side, we recommend that you include this line in your config:

ntp access-group serve-only

This will allow only time requests but ignore control queries.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Acknowledgements

The CERT/CC thanks Przemyslaw Frasunek for reporting this issue.

This document was written by Jeffrey S. Havrilla

Other Information

CVE IDs: CVE-2001-0414
Severity Metric: 79.65 Date Public:
